Posted: Fri Dec 17, 2010 20:56 Post subject: DNSmasq & rebind
Today I wrote a script to check a bulk of IPs against a set of DNSBLs (DNS blacklists). It also checks the DNS blacklist itself.
I then noticed that my script disqualified zen.spamhaus.org. That's a bit strange as this is a major blocklist which passed that same script when I ran it at work.
I then investigated it by hand by issuing this command on the command line of my Ubuntu server:
Code:
# host -tA 2.0.0.127.zen.spamhaus.org.
2.0.0.127.zen.spamhaus.org has no A record
I then tested it with my ISP's DNS (maybe they were doing something funny), but no, it was alright, just like Google's DNS.
Really? Did you miss or forget about the whole DNS rebind attack last summer? Look it up.
The attack itself isn't too serious because you have to browse a site and then through rebinding they get your browser to access your WAN IP (the router in most cases) and then they have to log in to the browser. This pretty much limits it to firmwares that have a default username/password, which DD-WRT hasn't had for 2 years.
DNS rebinding is still generally bad and leads to other attacks, so it is now blocked by default. Just look at it: they're sending you loopback addresses! They could serve you a web page, stop responding on their IP, and then have the page they served you try to access the machine the browser is running on.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Really? Did you miss or forget about the whole DNS rebind attack last summer? Look it up.
No, I didn't completely miss it. It has to do with DNS-poisoning by bombarding your DNS with false answers...
But I fail to see the relation with this faulty behaviour. Or is it just a dirty fix they did with dnsmasq?
I am still busy with my script (getting sucked into it). It really looks nice now. You should really take a look at it and into zabbix as well.
I think this 127.0.0.0/8 exemption may be better for me...
Phuzion, could you do some thinking for me, as my head is exploding at the moment?
_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Phuzion?
_________________
It has to do with DNS-poisoning by bombarding your DNS with false answers...
[...]
I think this 127.0.0.0/8 exemption may be better for me...
And how are 127.0.0.0/8 addresses not false answers? They're telling you to go to your own machine and that could be used to compromise it.
_________________
If you want to check if DD-WRT's website is listed on the DNSBL, you take its IP (83.141.4.210) and put the octets in reverse, so you do this query:
Code:
210.4.141.83.zen.spamhaus.org.
Host 210.4.141.83.zen.spamhaus.org. not found: 3(NXDOMAIN)
This means it is not listed.
If I give a spamming IP or the test-IP 127.0.0.2, I will get this answer:
Code:
# host 2.0.0.127.zen.spamhaus.org.
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
_________________
Ah, so DNSBL is a security method that's insecure by design. :lol:
It seems that instead of rebinding, a site could just send you to a domain that the DNSBL will redirect to your localhost for them.
Well, one second in the DNSMasq man page turned this up.
--rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.
There's also the option of changing the DNS servers of the machine using DNSBL so that it bypasses DNSMasq, so that you don't expose other machines to rebinding.
_________________
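As an added example (not code from this thread, from the poster's script, or from dnsmasq), here is a small Python model of what the two posts above describe: building a DNSBL query name from an IP, interpreting the reply, and a rebind filter with and without the localhost exemption. The upstream answers are constructed from the outputs quoted in the thread; the private-range list and the filter behaviour are a simplified assumption written for this example, not dnsmasq's source. The point it adds for a script like the one in the first post: a resolver that strips 127.0.0.0/8 answers makes every DNSBL lookup look clean, so the script should self-test with the zone's 127.0.0.2 test point and treat "NOERROR with no A records" as a filtered answer, not as "not listed".

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Address ranges a rebind filter treats as "local" answers.  Simplified model
# written for this example (assumption), not dnsmasq's own list.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# A DNS reply is modelled as (rcode, list of A records as strings).
Answer = Tuple[str, List[str]]
Lookup = Callable[[str], Answer]


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone, e.g.
    83.141.4.210 -> 210.4.141.83.zen.spamhaus.org. (fully qualified)."""
    addr = ipaddress.IPv4Address(ip)            # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."


def classify_dnsbl_answer(rcode: str, addresses: Iterable[str]) -> str:
    """NXDOMAIN = not listed; NOERROR with 127.0.0.0/8 addresses = listed.
    NOERROR with an *empty* answer is what a resolver that strips loopback
    answers returns, so it must not be read as 'not listed'."""
    addrs = list(addresses)
    if rcode == "NXDOMAIN":
        return "not_listed"
    if rcode != "NOERROR":
        return "lookup_error"                   # SERVFAIL, timeout, ...
    if not addrs:
        return "filtered"
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in addrs):
        return "listed"
    return "unexpected"                         # a DNSBL never returns routable addresses


def rebind_filter(answer: Answer, stop_dns_rebind: bool = True,
                  rebind_localhost_ok: bool = False) -> Answer:
    """Model of rebind protection: private ranges are dropped from the reply;
    127.0.0.0/8 is dropped too unless rebind_localhost_ok is set.  The reply
    keeps its rcode, matching the 'has no A record' output seen in the thread."""
    rcode, addrs = answer
    if not stop_dns_rebind:
        return answer
    kept = []
    for a in addrs:
        ip = ipaddress.IPv4Address(a)
        if any(ip in net for net in PRIVATE_RANGES):
            continue
        if ip in LOOPBACK and not rebind_localhost_ok:
            continue
        kept.append(a)
    return (rcode, kept)


def upstream_lookup(name: str) -> Answer:
    """Constructed stand-in for the real zone: the 127.0.0.2 test point is
    listed with the three codes quoted in the thread; everything else is clean."""
    if name == dnsbl_query_name("127.0.0.2"):
        return ("NOERROR", ["127.0.0.2", "127.0.0.4", "127.0.0.10"])
    return ("NXDOMAIN", [])


def resolver_passes_dnsbl_check(lookup: Lookup, zone: str = "zen.spamhaus.org") -> bool:
    """Self-test before trusting any result: the zone's 127.0.0.2 test point
    must come back 'listed' through this resolver."""
    rcode, addrs = lookup(dnsbl_query_name("127.0.0.2", zone))
    return classify_dnsbl_answer(rcode, addrs) == "listed"


def check_ip(ip: str, lookup: Lookup, zone: str = "zen.spamhaus.org") -> str:
    return classify_dnsbl_answer(*lookup(dnsbl_query_name(ip, zone)))


# Three resolver configurations built from the model above.
def plain_resolver(name: str) -> Answer:          # no rebind protection
    return upstream_lookup(name)

def dnsmasq_default(name: str) -> Answer:         # stop-dns-rebind only
    return rebind_filter(upstream_lookup(name))

def dnsmasq_localhost_ok(name: str) -> Answer:    # stop-dns-rebind + rebind-localhost-ok
    return rebind_filter(upstream_lookup(name), rebind_localhost_ok=True)


if __name__ == "__main__":
    for label, resolver in (("plain", plain_resolver),
                            ("stop-dns-rebind", dnsmasq_default),
                            ("stop-dns-rebind + rebind-localhost-ok", dnsmasq_localhost_ok)):
        ok = "ok" if resolver_passes_dnsbl_check(resolver) else "FAILED"
        print(f"{label}: self-test {ok}, 83.141.4.210 -> {check_ip('83.141.4.210', resolver)}")
```

Run it directly to see the three configurations side by side: only the default rebind-protected path fails the self-test, and it fails with "filtered" rather than "not_listed", which is exactly the symptom the first post ran into. The `dnsmasq_localhost_ok` path corresponds to adding `rebind-localhost-ok` to the dnsmasq configuration; the alternative suggested above, pointing only the DNSBL client at a different resolver, leaves the other machines behind the router protected.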
Ah, so DNSBL is a security method that's insecure by design.
One shouldn't underestimate the ingenuity of a good hacker, but as far as I can gather the returning of a 127.0.0.1 is only a threat for machines that are running web services on the same machine as they are browsing. BTW... it returns 127.0.0.2, not 127.0.0.1.
I think that not accepting a 127.0.0.0/8 address is just a 'symptom fix' of dnsmasq instead of the real solution which is keeping a table of IP-addresses for which it should accept queries. It only needs to listen to DNS-servers it has queried. Before it would just accept an answer coming from anywhere. A typical SOHO-router only queries 2 DNS-servers (their ISP's). That's why Bind needed an upgrade.
Bombarding a victim or their ISP's DNS-server with DNS-answers for a bank can lead them to a fake site.
But if the solution DNSmasq is using were the right one, it would mean all DNS servers had the same behaviour. They don't.
BTW, DNSmasq does some other strange things. If I query it with a nonexistent domain without the trailing dot, it will append the local domain to it, which is really not what I want.
Do you know how I can turn that off?
_________________
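The "only listen to DNS servers it has queried" idea from the post above, as an added Python model (not dnsmasq or BIND code, and a separate problem from the rebind filtering discussed earlier): a forwarder keeps a table of the questions it has sent out and accepts a reply only when its transaction id, the port it arrived on, the question, and the sending server all match an outstanding entry; anything else is unsolicited and is dropped and counted. The names and addresses in the demo are constructed from documentation ranges.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, udp port)


@dataclass(frozen=True)
class Query:
    txid: int          # 16-bit DNS transaction id
    qname: str
    qtype: str
    server: Endpoint   # upstream server the question was sent to
    src_port: int      # our randomised source port


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    qtype: str
    src: Endpoint      # where the reply packet came from
    dst_port: int      # our port it arrived on
    answer: str


class PendingQueries:
    """Questions sent and not yet answered.  A reply is accepted only if it
    matches one of them on every field a forwarder can check; everything else
    is unsolicited and is dropped.  The drop counter is what you would export
    to monitoring."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[int, int], Query] = {}
        self.dropped = 0

    def send(self, qname: str, qtype: str, server: Endpoint) -> Query:
        """Record a question under a fresh random id and source port."""
        while True:
            txid = secrets.randbelow(1 << 16)
            src_port = 1024 + secrets.randbelow(65536 - 1024)
            if (txid, src_port) not in self._pending:
                break
        q = Query(txid, qname, qtype, server, src_port)
        self._pending[(txid, src_port)] = q
        return q

    def receive(self, r: Response) -> Optional[str]:
        """Return the answer if the reply matches a pending question, else None."""
        q = self._pending.get((r.txid, r.dst_port))
        if (q is None or q.server != r.src
                or (q.qname, q.qtype) != (r.qname, r.qtype)):
            self.dropped += 1
            return None
        del self._pending[(r.txid, r.dst_port)]   # first matching reply wins
        return r.answer

    def outstanding(self) -> int:
        return len(self._pending)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], int]:
    """Constructed exchange: one question to an upstream server, then three
    replies: one from an address we never asked, the genuine one, and a replay
    of the genuine one after it has already been consumed."""
    table = PendingQueries()
    upstream = ("192.0.2.53", 53)                  # documentation address
    q = table.send("www.example.net", "A", upstream)
    genuine = Response(q.txid, q.qname, q.qtype, upstream, q.src_port, "203.0.113.10")
    stranger = Response(q.txid, q.qname, q.qtype, ("198.51.100.9", 53), q.src_port, "203.0.113.99")
    first = table.receive(stranger)   # dropped: not the server we asked
    second = table.receive(genuine)   # accepted
    third = table.receive(genuine)    # dropped: nothing pending any more
    return first, second, third, table.dropped


if __name__ == "__main__":
    print(demo())   # expected (None, '203.0.113.10', None, 2)
```

The table answers the question raised above: matching on the server address alone is not enough, because the id and source port are what make a reply hard to guess, so all of them are checked together and a consumed entry is removed so a late duplicate is rejected as well.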
Ah, so DNSBL is a security method that's insecure by design.
One shouldn't underestimate the ingenuity of a good hacker, but as far as I can gather the returning of a 127.0.0.1 is only a threat for machines that are running web services on the same machine as they are browsing. BTW... it returns 127.0.0.2, not 127.0.0.1.
Not necessarily web services; I'm pretty sure that between Flash, Java, and Silverlight the browser can communicate with raw data for any service. I'm not sure if there's any way to exploit rebinding with anything other than a browser.
The entire 127.0.0.0/8 block is loopback to the localhost (so wasteful!) so it doesn't matter what the host bits are.
You lost me after that in what seems to be a mash-up of DNSMasq's rebind blocking vs Bind accepting answers from anywhere, which are totally different problems.
_________________